• To allow a device with a private IPv4 address to access devices and resources outside of the local network, the private address must first be translated to a public address... NAT Char
Trang 1Module 6: NAT for IPv4
Trang 2Module Objectives
Module Title: NAT for IPv4
Module Objective: Configure NAT services on the edge router to provide IPv4 address
scalability
Topic Title Topic Objective
NAT Characteristics Explain the purpose and function of NAT.
Types of NAT Explain the operation of different types of NAT.
NAT Advantages and Disadvantages Describe the advantages and disadvantages of NAT.
Static NAT Configure static NAT using the CLI.
Dynamic NAT Configure dynamic NAT using the CLI.
Trang 36.1 NAT Characteristics
Trang 4NAT Characteristics
IPv4 Address Space
• Networks are commonly implemented
using private IPv4 addresses, as defined
in RFC 1918
• Private IPv4 addresses cannot be routed
over the internet and are used within an
organization or site to allow devices to
communicate locally
• To allow a device with a private IPv4
address to access devices and
resources outside of the local network,
the private address must first be
translated to a public address
Class Activity Type Activity Name
A 10.0.0.0 – 10.255.255.255 10.0.0.0/8
B 172.16.0.0 – 172.31.255.255 172.16.0.0/12
C 192.168.0.0 – 192.168.255.255 192.168.0.0/1
6
Trang 5NAT Characteristics
What is NAT
• The primary use of NAT is to conserve
public IPv4 addresses
• NAT allows networks to use private IPv4
addresses internally and translates them
to a public address when needed
• A NAT router typically operates at the
border of a stub network
• When a device inside the stub network
wants to communicate with a device
outside of its network, the packet is
forwarded to the border router which
performs the NAT process, translating
Trang 6NAT Characteristics
How NAT Works
PC1 wants to communicate with an outside web server with
public address 209.165.201.1.
1 PC1 sends a packet addressed to the web server
2 R2 receives the packet and reads the source IPv4
address to determine if it needs translation.
3 R2 adds mapping of the local to global address to the NAT
table.
4 R2 sends the packet with the translated source address
toward the destination.
5 The web server responds with a packet addressed to the
inside global address of PC1 (209.165.200.226).
6 R2 receives the packet with destination address
209.165.200.226 R2 checks the NAT table and finds an
entry for this mapping R2 uses this information and
Trang 7NAT Characteristics
NAT Terminology
NAT includes four types of addresses:
• Inside local address
• Inside global address
• Outside local address
• Outside global address
NAT terminology is always applied from the perspective of the device with the
translated address:
• Inside address - The address of the device which is being translated by NAT.
• Outside address - The address of the destination device.
• Local address - A local address is any address that appears on the inside portion
of the network
Trang 8NAT Characteristics
NAT Terminology (Cont.)
Inside local address
The address of the source as seen from inside the network
This is typically a private IPv4 address The inside local
address of PC1 is 192.168.10.10.
Inside global addresses
The address of source as seen from the outside network
The inside global address of PC1 is 209.165.200.226
Outside global address
The address of the destination as seen from the outside
network The outside global address of the web server is
209.165.201.1
Outside local address
The address of the destination as seen from the inside
network PC1 sends traffic to the web server at the IPv4
Trang 96.2 Types of NAT
Trang 10Types of NAT
Static NAT
Static NAT uses a one-to-one mapping of
local and global addresses configured by
the network administrator that remain
constant
• Static NAT is useful for web servers or
devices that must have a consistent
address that is accessible from the
internet, such as a company web server
• It is also useful for devices that must be
accessible by authorized personnel when
offsite, but not by the general public on
the internet
Trang 11Types of NAT
Dynamic NAT
Dynamic NAT uses a pool of public
addresses and assigns them on a
first-come, first-served basis
• When an inside device requests access
to an outside network, dynamic NAT
assigns an available public IPv4 address
from the pool
• The other addresses in the pool are still
available for use
Note: Dynamic NAT requires that enough
public addresses are available to satisfy the
total number of simultaneous user sessions
Trang 12Types of NAT
Port Address Translation
Port Address Translation (PAT), also known
as NAT overload, maps multiple private
IPv4 addresses to a single public IPv4
address or a few addresses
• With PAT, when the NAT router receives
a packet from the client, it uses the
source port number to uniquely identify
the specific NAT translation
• PAT ensures that devices use a different
TCP port number for each session with
a server on the internet
Trang 13Types of NAT
Next Available Port
PAT attempts to preserve the original
source port If the original source port is
already used, PAT assigns the first
available port number starting from the
beginning of the appropriate port group
0-511, 512-1,023, or 1,024-65,535
• When there are no more ports available
and there is more than one external
address in the address pool, PAT moves
to the next address to try to allocate the
original source port
• The process continues until there are no
more available ports or external IPv4
Trang 14Types of NAT
NAT and PAT Comparison
Summary of the differences between NAT
and PAT
NAT - Only modifies the IPv4 addresses
PAT - PAT modifies both the IPv4 address and
the port number.
Inside Global Address Inside Local Address
One Inside Global address can be mapped to many Inside Local addresses.
Uses only IPv4 addresses
in translation process.
Uses IPv4 addresses and TCP or UDP source port numbers in translation process.
A unique Inside Global address is required for each inside host accessing the outside network.
A single unique Inside Global address can be shared by many inside hosts accessing the outside network.
Trang 15Types of NAT
Packets without a Layer 4 Segment
Some packets do not contain a Layer 4 port number, such as ICMPv4
messages Each of these types of protocols is handled differently by PAT.
For example, ICMPv4 query messages, echo requests, and echo replies
include a Query ID ICMPv4 uses the Query ID to identify an echo request
with its corresponding echo reply.
Note: Other ICMPv4 messages do not use the Query ID These messages and other
protocols that do not use TCP or UDP port numbers vary and are beyond the scope
of this curriculum
Trang 16Types of NAT
Packet Tracer – Investigate NAT Operations
In this Packet Tracer, you will complete the following objectives:
• Investigate NAT operation across the intranet
• Investigate NAT operation across the internet
• Conduct further investigations
Trang 176.3 NAT Advantages and
Disadvantages
Trang 18NAT Advantages and Disadvantages
Advantages of NAT
NAT provides many benefits:
• NAT conserves the legally registered addressing scheme by allowing the
privatization of intranets
• NAT conserves addresses through application port-level multiplexing
• NAT increases the flexibility of connections to the public network
• NAT provides consistency for internal network addressing schemes
• NAT allows the existing private IPv4 address scheme to remain while allowing for
easy change to a new public addressing scheme
• NAT hides the IPv4 addresses of users and other devices
Trang 19NAT Advantages and Disadvantages
Disadvantages of NAT
NAT does have drawbacks:
• NAT increases forwarding delays
• End-to-end addressing is lost
• End-to-end IPv4 traceability is lost
• NAT complicates the use of tunneling protocols, such as IPsec
• Services that require the initiation of TCP connections from the outside network, or
stateless protocols, such as those using UDP, can be disrupted
Trang 206.4 Static NAT
Trang 21Static NAT
Static NAT Scenario
• Static NAT is a one-to-one mapping
between an inside address and an
outside address
• Static NAT allows external devices
to initiate connections to internal
devices using the statically
assigned public address
• For instance, an internal web server
may be mapped to a specific inside
global address so that it is
accessible from outside networks.
Trang 22Static NAT
Configure Static NAT
There are two basic tasks when configuring static NAT translations:
• Step 1 - Create a mapping between the inside local address and the inside global
addresses using the ip nat inside source static command.
• Step 2 - The interfaces participating in the translation are configured as inside or
outside relative to NAT with the ip nat inside and ip nat outside commands.
R2(config)# ip nat inside source static 192.168.10.254 209.165.201.5
Trang 23Static NAT
Analyze Static NAT
The static NAT translation process between the
client and the web server:
1 The client sends a packet to the web server
2 R2 receives packets from the client on its NAT
outside interface and checks its NAT table
3 R2 translates the inside global address of to the
inside local address and forwards the packet
towards the web server
4 The web server receives the packet and responds
to the client using its inside local address
5 (a) R2 receives the packet from the web server on
its NAT inside interface with source address of
the inside local address of the web server and (b)
Trang 24Static NAT
Verify Static NAT
To verify NAT operation, issue the show ip nat translations command.
• This command shows active NAT translations
• Because the example is a static NAT configuration, the translation is always present in the NAT table regardless of any active communications
• If the command is issued during an active session, the output also indicates the
address of the outside device
R2# show ip nat translations
Pro Inside global Inside local Outside local Outside global
209.165.201.5 192.168.10.254
-Total number of translations: 1
R2# show ip nat translations
Trang 25Static NAT
Verify Static NAT (Cont.)
Another useful command is show ip nat statistics.
• It displays information about the total number of active translations, NAT
configuration parameters, the number of addresses in the pool, and the number of
addresses that have been allocated
• To verify that the NAT translation is working, it is best to clear statistics from any
past translations using the clear ip nat statistics command before testing.
R2# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces:
Serial0/1/1
Inside interfaces:
Serial0/1/0
Trang 26Static NAT
Packet Tracer – Configure Static NAT
In this Packet Tracer, you will complete the following objectives:
• Test Access without NAT
• Configure Static NAT
• Test Access with NAT
Trang 276.5 Dynamic NAT
Trang 28Static NAT
Dynamic NAT Scenario
• Dynamic NAT automatically maps
inside local addresses to inside
global addresses.
• Dynamic NAT uses a pool of inside
global addresses.
• The pool of inside global addresses
is available to any device on the
inside network on a come
first-served basis.
• If all addresses in the pool are in
use, a device must wait for an
Trang 29Static NAT
Configure Dynamic NAT
There are five tasks when configuring dynamic NAT translations:
• Step 1 - Define the pool of addresses that will be used for translation using the ip
nat pool command
• Step 2 - Configure a standard ACL to identify (permit) only those addresses that
are to be translated
• Step 3 - Bind the ACL to the pool, using the ip nat inside source list command.
R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224 R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL1
Trang 30Static NAT
Configure Dynamic NAT (Cont.)
There are five tasks when configuring dynamic NAT translations:
• Step 4 - Identify which interfaces are inside
• Step 5 - Identify which interfaces are outside
R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL1
R2(config)# interface serial 0/1/0
R2(config-if)# ip nat inside
R2(config-if)# interface serial 0/1/1
R2(config-if)# ip nat outside
Trang 31Static NAT
Analyze Dynamic NAT – Inside to Outside
Dynamic NAT translation process:
1 PC1 and PC2 send packets requesting a
connection to the server
2 R2 receives the first packet from PC1,
checks the ALC to determine if the packet
should be translated, selects an available
global address, and creates a translation
entry in the NAT table
3 R2 replaces the inside local source address
of PC1, 192.168.10.10, with the translated
inside global address of 209.165.200.226
and forwards the packet (The same process
Trang 32Static NAT
Analyze Dynamic NAT – Outside to Inside
Dynamic NAT translation process:
4 The server receives the packet from PC1 and
responds using the destination address of
209.165.200.226 The server receives the packet
from PC2, it responds to using the destination
address of 209.165.200.227.
5 (a) When R2 receives the packet with the
destination address of 209.165.200.226; it
performs a NAT table lookup and translates the
address back to the inside local address and
forwards the packet toward PC1.
(b) When R2 receives the packet with the
destination address of 209.165.200.227; it
performs a NAT table lookup and translates the
Trang 33Static NAT
Analyze Dynamic NAT – Outside to Inside (Cont.)
Dynamic NAT translation process:
6 PC1 and PC2 receive the packets and
continue the conversation The router
performs Steps 2 to 5 for each packet.
Trang 34Static NAT
Verify Dynamic NAT
The output of the show ip nat translations command displays all static
translations that have been configured and any dynamic translations that
have been created by traffic.
R2# show ip nat translations
Pro Inside global Inside local Outside local Outside global
209.165.200.228 192.168.10.10
209.165.200.229 192.168.11.10
-R2#
Trang 35Static NAT
Verify Dynamic NAT (Cont.)
Adding the verbose keyword displays additional information about each
translation, including how long ago the entry was created and used.
R2# show ip nat translation verbose
Pro Inside global Inside local Outside local Outside global
Trang 36Static NAT
Verify Dynamic NAT (Cont.)
By default, translation entries time out after 24 hours, unless the timers have been
reconfigured with the ip nat translation timeout timeout-seconds command in global
configuration mode To clear dynamic entries before the timeout has expired, use the
clear ip nat translation privileged EXEC mode command.
R2# clear ip nat translation *
R2# show ip nat translation
clear ip nat translation * Clears all dynamic address translation entries from the
NAT translation table.
clear ip nat translation inside global-ip
local-ip [outside local-ip global-ip] Clears a simple dynamic translation entry containing an inside translation or both inside and outside translation.
Trang 37Static NAT
Verify Dynamic NAT (Cont.)
The show ip nat statistics command displays information about the total number of
active translations, NAT configuration parameters, the number of addresses in the
pool, and how many of the addresses have been allocated
R2# show ip nat statistics
Total active translations: 4 (0 static, 4 dynamic; 0 extended)
Peak translations: 4, occurred 00:31:43 ago
[Id: 1] access-list 1 pool NAT-POOL1 refcount 4
pool NAT-POOL1: netmask 255.255.255.224
start 209.165.200.226 end 209.165.200.240